Enterprise computing systems employ mechanisms for logging various types of user activity. The resulting auditable logs are intended to provide technical information and/or to satisfy applicable legal requirements.
Typically, a client system maintains a log of its own users' activity, and this activity is also reflected in a log maintained by a server system with which the client system interacts. An identifier such as a username is used to associate client activity, which is logged on the client system, with corresponding server activity as logged by the server system. However, enterprise computing systems are increasingly distributed into substantially independent systems, each of which may be associated with its own user management/identity store. Such a configuration is not amenable to traditional approaches for logging user activity.
FIG. 1 illustrates cloud deployment 100 including a three-layered stack. Software-as-a-Service (SaaS) layer 110, Platform-as-a-Service (PaaS) layer 120, and Infrastructure-as-a-Service (IaaS) layer 130 include respective logs 114, 124 and 134 for logging user activities associated with each layer. However, since each layer 110, 120 and 130 is governed by a different respective user management service 112, 122 and 132, the user basis for each layer's logging differs.
The layers of cloud deployment 100 include many different entities. For example, Independent Software Vendor (ISV) 140 may only require access to SaaS layer 110, whereas Cloud Service Provider 150 may require access to PaaS layer 120 and IT Consultant 160 may require access to all layers. This architecture results in a web of access patterns and log locations which is not easily auditable.
For example, ISV 140 may log locally that the employee Mr. Smith is logged on to the ISV's systems and has accessed a customer cloud system. However, per an established custom, Mr. Smith is not associated with a personalized user in the customer cloud system, but is assigned a temporary (and anonymous) technical support user by the customer cloud system. The respective layer (i.e., SaaS layer 110) then logs the access and activities of this technical support user. The link between log 114 of SaaS layer 110 and Mr. Smith is severed from an auditability point of view and may only be reconstructed via the cumbersome process of analyzing the ISV's logs and logs 114, 124 and 134 to determine the association between Mr. Smith and the technical support user.
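The reconstruction described above, as an added example that is not part of the original text: it correlates constructed ISV log lines with constructed SaaS-layer (log 114) lines by session time overlap to recover which ISV employee stood behind an anonymous technical support user. The log formats, usernames and timestamps are assumptions for illustration.

```python
from datetime import datetime

# Constructed sample logs (assumed formats, not from the original text).
# ISV log line: "<start> <end> <employee> accessed <target>"
# SaaS layer log line: "<timestamp> <user> <action>"
ISV_LOG = """\
2024-03-01T09:00:00 2024-03-01T10:30:00 smith accessed customer-cloud
2024-03-01T11:00:00 2024-03-01T12:00:00 jones accessed customer-cloud
"""
SAAS_LOG = """\
2024-03-01T09:05:12 tmpsupport-7 login
2024-03-01T09:40:03 tmpsupport-7 export customer_records
2024-03-01T10:20:00 tmpsupport-7 logout
2024-03-01T11:10:00 tmpsupport-9 login
2024-03-01T11:55:00 tmpsupport-9 logout
2024-03-01T13:00:00 tmpsupport-11 login
"""

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_isv(text):
    """Return (employee, start, end) sessions recorded by the ISV."""
    sessions = []
    for line in text.splitlines():
        start, end, employee, _verb, _target = line.split()
        sessions.append((employee, ts(start), ts(end)))
    return sessions

def parse_saas(text):
    """Return {support_user: [(timestamp, action), ...]} from the SaaS log."""
    activity = {}
    for line in text.splitlines():
        stamp, user, action = line.split(maxsplit=2)
        activity.setdefault(user, []).append((ts(stamp), action))
    for events in activity.values():
        events.sort()  # log lines may arrive out of order
    return activity

def attribute(isv_text, saas_text):
    """Map each support user to the one employee whose ISV session covers
    all of that user's SaaS activity; ambiguous or uncovered users -> None."""
    result = {}
    sessions = parse_isv(isv_text)
    for user, events in parse_saas(saas_text).items():
        first, last = events[0][0], events[-1][0]
        covering = {emp for emp, s, e in sessions if s <= first and last <= e}
        result[user] = covering.pop() if len(covering) == 1 else None
    return result
```

A support user whose activity falls outside every ISV session, or inside overlapping sessions of different employees, is left unattributed rather than guessed.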